Approximately 1.7 million Air Canada customers who use the airline’s web app have been instructed to reset passwords after the company admitted it suffered a serious security breach. As Sean O’Shea reports, at least 20,000 of those customers had data stolen.

In a news release, the airline explained that it noticed “unusual login activity” between Aug. 22-24 and “immediately took action.”

All users of the app — about 1.7 million customers — have been locked out of their accounts until they update their passwords. Users have also been emailed instructions on how to log in to the app and change passwords.

“This is no longer a bunch of kids in a basement hacking for fun. This is all organized crime,” cyber security expert Daniel Tobok and CEO of Cytelligence told Global News.

“We have to pay attention to the data that we, ourselves, are sharing with any apps or Third Parties. Your name and address, yes, but not your NEXUS card number or your passport number,” Tobok advises.

“With cyber security, you always have to think worst-case scenario. What if the company cannot protect my NEXUS card? What if the compay cannot protect my passport number?” he says. Once organized crime gets your data, they are not going to delete it. They stole it because they want to try to use it, for identity theft or financial fraud.

From the time a data breach occurs, typically it is anywhere from 9 to 17 months before that information surfaces in another category, says Tobok.